= Features/EnterpriseTwoFactorAuthentication =
https://fedoraproject.org/wiki/Features/EnterpriseTwoFactorAuthentication
Feature owner(s): Daniel Pocock daniel@pocock.com.au
Provide a flexible solution for two-factor authentication on a distributed basis, suitable for enterprise and SSO.
== Detailed description ==
Most OTP solutions for two-factor authentication require some kind of storage backend for counters or other volatile data. Early implementations work with flat files on a single host. dynalogin was created to bring stability and flexibility, storing counters in just about any type of database. Other solutions such as totp-cgi have similar goals (although it only mentions Postgres support, whereas dynalogin can use MySQL thanks to UNIXODBC). dynalogin has been successfully integrated with the SimpleID provider for OpenID authentication.
_______________________________________________
devel-announce mailing list
devel-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
FYI, FreeIPA is hoping to land two-factor auth support with MIT krb5 in roughly the same time-frame.
Nathaniel
On Tue, Jan 29, 2013 at 9:48 AM, Jaroslav Reznik jreznik@redhat.com wrote:
= Features/EnterpriseTwoFactorAuthentication =
https://fedoraproject.org/wiki/Features/EnterpriseTwoFactorAuthentication
Feature owner(s): Daniel Pocock daniel@pocock.com.au
Provide a flexible solution for two-factor authentication on a distributed basis, suitable for enterprise and SSO.
== Detailed description ==
Most OTP solutions for two-factor authentication require some kind of storage backend for counters or other volatile data. Early implementations work with flat files on a single host. dynalogin was created to bring stability and flexibility, storing counters in just about any type of database. Other solutions such as totp-cgi have similar goals (although it only mentions Postgres support, whereas dynalogin can use MySQL thanks to UNIXODBC). dynalogin has been successfully integrated with the SimpleID provider for OpenID authentication.
On Tue, Jan 29, 2013 at 9:48 AM, Jaroslav Reznik jreznik@redhat.com wrote:
= Features/EnterpriseTwoFactorAuthentication =
https://fedoraproject.org/wiki/Features/EnterpriseTwoFactorAuthentication
Feature owner(s): Daniel Pocock daniel@pocock.com.au
Provide a flexible solution for two-factor authentication on a distributed basis, suitable for enterprise and SSO.
== Detailed description ==
Most OTP solutions for two-factor authentication require some kind of storage backend for counters or other volatile data. Early implementations work with flat files on a single host. dynalogin was created to bring stability and flexibility, storing counters in just about any type of database. Other solutions such as totp-cgi have similar goals (although it only mentions Postgres support, whereas dynalogin can use MySQL thanks to UNIXODBC). dynalogin has been successfully integrated with the SimpleID provider for OpenID authentication.
Well, the main reason totpcgi doesn't use MySQL is because it hasn't been a requested feature so far. Adding support for mysql would be a couple of hours of work. Notably, using a database for this is a net loss in security, since not only are we transferring pre-shared secrets over the network now (hope you connect via ssl), but we also lose extra SELinux enforcement that is added onto tokens stored on the filesystem. Database backends should only be used when you want to add multiple redundant 2fa servers.
(I'm also worried that unixODBC doesn't appear to support the advisory locking that we use in the postgresql backend to make sure that we only allow one member of the redundant cluster to work on a token -- thus preventing potential race conditions allowing token reuse.)
My main objection, though, is that this feature implies that there currently isn't a "flexible solution for two-factor authentication suitable for enterprise" in Fedora. While totpcgi doesn't currently provide a lot of SSO options (if you don't count Radius -- which you really shouldn't), that's mainly because there are so many SSO options to choose from besides just OpenID.
Best,
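As an added illustration of the counter-storage and token-reuse concern raised in the reply above (example code written for this page, not from dynalogin or totpcgi): an RFC 4226 HOTP verifier whose per-token counter lives in a database table and is advanced only by a conditional UPDATE, the atomic check that the advisory lock in the thread stands in for, so two verifiers racing on the same token cannot both accept one code. The in-memory SQLite table, the table layout and the user name are assumptions for the example.

```python
import hashlib
import hmac
import sqlite3
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class CounterStore:
    """HOTP counters kept in a database table (in-memory SQLite here, assumed as a
    stand-in for the shared backend the thread discusses). The counter is advanced
    only by an UPDATE that names the counter value the verifier read; if another
    verifier already consumed that counter, the UPDATE matches no row and the code
    is refused, so a code can never be accepted twice."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE tokens (user TEXT PRIMARY KEY, secret BLOB, counter INTEGER)")

    def provision(self, user: str, secret: bytes) -> None:
        self.db.execute("INSERT INTO tokens VALUES (?, ?, 0)", (user, secret))
        self.db.commit()

    def verify(self, user: str, code: str, window: int = 5) -> bool:
        row = self.db.execute("SELECT secret, counter FROM tokens WHERE user = ?", (user,)).fetchone()
        if row is None:
            return False
        secret, counter = row
        # Look-ahead window: codes the user generated but never submitted are skipped, never reused.
        for step in range(window):
            if hmac.compare_digest(hotp(bytes(secret), counter + step), code):
                # Consume the counter atomically: succeeds only if nobody advanced it meanwhile.
                cur = self.db.execute(
                    "UPDATE tokens SET counter = ? WHERE user = ? AND counter = ?",
                    (counter + step + 1, user, counter),
                )
                self.db.commit()
                return cur.rowcount == 1
        return False
```

A file-per-token backend would get the same guarantee from a lock on the token file; the point is that the read-compare-advance step must be atomic wherever the counter is kept.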
Jaroslav Reznik (jreznik@redhat.com) said:
= Features/EnterpriseTwoFactorAuthentication =
https://fedoraproject.org/wiki/Features/EnterpriseTwoFactorAuthentication
Feature owner(s): Daniel Pocock daniel@pocock.com.au
Provide a flexible solution for two-factor authentication on a distributed basis, suitable for enterprise and SSO.
== Detailed description ==
Most OTP solutions for two-factor authentication require some kind of storage backend for counters or other volatile data. Early implementations work with flat files on a single host. dynalogin was created to bring stability and flexibility, storing counters in just about any type of database. Other solutions such as totp-cgi have similar goals (although it only mentions Postgres support, whereas dynalogin can use MySQL thanks to UNIXODBC). dynalogin has been successfully integrated with the SimpleID provider for OpenID authentication.
I'd really prefer this be retitled in a way that more clearly defines what it is (i.e., Add SimpleIDandDynalogin2FA). As you can see from the responses, the definition of what is 'Enterprise' lies in the beholder.
Bill